157. The Neglected Password
By Andrew D. Wright
A password is usually the weakest link in any secure system. Many users
already have several passwords to keep track of, and remembering things
without prompting is hard for some.
Still, this doesn't change the fact that passwords are generally there for
a good reason. Internet access and email access are more powerful than
people give them credit for. The words in an email can be passed on to
thousands of other people, for example. Jobs have been lost and careers
ruined over leaked emails.
Your protection against abuse is your password. This is how you keep
people out of your business. Whether you are famous or not, yes, there are
people looking to break into your email.
Some people are vague on what a password is. They confuse it with their
login or username, they can't understand computer terms, they throw their
hands up in the air over such complex things.
It's easy. Logging in to something is a Challenge followed by a Response.
You are walking up to a big fort. The guard asks who you are, the
Challenge. You tell them your username and they say they have heard of you
but before they can let you in, you have to prove you are who you say you
are. You then give them the Response, your password. The guard now knows
it's really you, the gate opens and you are allowed into the fort.
Recently a scam email was sent out to users at a local Internet provider
telling them that due to system upgrades they should reply to the email
with their username and password or risk being locked out of their email.
One user did send in their password and within a week thousands of spam
emails were being sent out from their account with their real name and
address on them. The Internet provider was flooded with complaints and
their domain found its way onto email blacklists all over the world as a
source of spam.
The lesson here is that no matter who an email says it is from, your
password is private information that you NEVER give out over email no
matter what they say to you. Don't write your password on your cheques,
don't tell it to strangers, keep it to yourself. If you do keep written
copies of your passwords someplace, make it someplace secure under lock
and key. Nobody without a court order in their hand has the right to ask
you for any password.
For security, passwords should be remembered, not saved. Passwords
shouldn't be words found in the dictionary, since dictionary-based attacks
can be done quickly. Ideally passwords should be at least eight characters
long, using numbers, punctuation marks and upper and lower case letters
since these add many more possible passwords to the mix.
Every person has things that they know well that others do not. A
childhood pet, a place they went as a teenager, the car their father
drove. Details which are firm in memory, not possible to lose in the
normal run of events. So given Spot, The Quarry, and Impala, a password
like Spot;Quar+1mpala might be hard for this person to forget but pretty
close to impossible for anyone else to guess or brute force by trying all
possible combinations of characters.
If you know the words to a song, use the first two letters from each word
to make a password. If you know some technical terms for something, take
pieces from each word and mix in some numbers. Avoid simple patterns, car
license plate numbers and using your street address or phone number.
The Mousepad runs every two weeks. It's a service of Chebucto Community
Net, a community-owned Internet provider. If you have a question about
computing, email mousepad@chebucto.ns.ca. If we use your question
in a column, we'll send you a free mousepad.
Originally published 28 August 2009